Still, could you tell me please: what generally are you trying to do? Why are you storing the PHP code as a base64-encoded string? If you are executing it later by eval(), please be very careful. eval() is a very dangerous function. It is necessary to be absolutely sure there is no way someone could inject his own code there.

jeddi

02-06-2010, 03:21 PM

Yer - I don't like it but this guy wants the code "hidden" so no one could see it !!!

I told him that the php is not seen in the browser anyway but I guess he is paranoid !
So I thought I would use base64 encode.

Anyway, thanks for your help, I can see the bug now.

Oh, and yes I was going to use eval().
I don't think anyone can inject code into it can they ?


SKDevelopment

02-06-2010, 04:26 PM

Do you mean you would like to store the PHP code in a cookie and then eval() it? And the only protection is base64 encoding? If this is true, any average hacker would be able to execute absolutely any PHP code of his own on your system using this eval().

Cookies are stored at the client side. The browser sends them. You have no control over them. It is not too difficult to fake a cookie. It is sent as part of the HTTP document - in the HTTP headers. So it is enough to connect to the server, pretend to be a browser and send any PHP code via a cookie (using the corresponding HTTP header).

Cookies are considered potential user input, which is not more difficult to abuse than GET or POST.

base64 encoding is no protection at all. It is too easily decoded.

In my opinion cookies must never be used for such a task.

And in my opinion eval() must be avoided whenever possible.
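The post above makes two points that are easy to see side by side in code: a base64 string fed to eval() runs whatever the sender of the request chose, and the usual remedy is to treat the cookie as untrusted data that selects from a server-side allow-list. The following is an added example, not code from anyone in this thread; the cookie names, the page file names and the sample cookie values are all constructed for illustration.

```php
<?php
// Added example (not from the thread). Contrasts the pattern the post warns
// about with an allow-list lookup that never treats request data as code.
declare(strict_types=1);

// The dangerous pattern. Whoever sends the request chooses $cookie['code'];
// base64 only changes the alphabet of the bytes, so eval() executes code
// selected by the client. Shown only to mark what the safe version replaces.
function runCookieAsCode(array $cookie): void
{
    if (isset($cookie['code']) && is_string($cookie['code'])) {
        eval(base64_decode($cookie['code'])); // client-controlled code execution
    }
}

// The safe pattern: the cookie holds a short key, and the server maps that
// key to one of its own files. Unknown, malformed or absent values fall back
// to a default, so nothing from the request is used as code or as a path.
// Hypothetical page files, constructed for the example.
const ALLOWED_ENTRIES = [
    'home'    => 'pages/home.php',
    'account' => 'pages/account.php',
    'help'    => 'pages/help.php',
];

function resolveEntry(array $cookie, string $default = 'home'): string
{
    $key = $cookie['entry'] ?? $default;
    if (!is_string($key) || !array_key_exists($key, ALLOWED_ENTRIES)) {
        $key = $default;   // anything not on the list is ignored
    }
    return ALLOWED_ENTRIES[$key];
}

// Constructed sample cookies, in the shape PHP exposes them in $_COOKIE.
// The last two look like values a hand-built Cookie header might carry;
// both resolve to the default file because they are not allow-listed keys.
$samples = [
    ['entry' => 'account'],
    [],
    ['entry' => 'aGVsbG8='],   // base64-looking text, meaningless as a key
    ['entry' => 'home.php'],   // file-looking value, also not a key
];

foreach ($samples as $cookie) {
    echo json_encode($cookie), ' -> ', resolveEntry($cookie), PHP_EOL;
}
```

The only thing the request can influence is which entry of ALLOWED_ENTRIES is chosen; the file paths themselves never leave the server. The same lookup applies unchanged to GET or POST parameters, which is the post's point about cookies being no different from other input.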

jeddi

02-06-2010, 07:36 PM

Thanks for your concern but this script is not going in a cookie but resides on the server.

That's why I told him - the code would not be seen by anyone. As you can see the code is the "doorway" to the ./index.php. It also sets some variables that are checked later to ensure the program was started by this script.

It is just a waste of time really, but he likes the idea that the starting "doorway" script is encoded making it look unreadable.

However as we have just proved a programmer can easily open it up !!

Anyway, if it keeps him happy !!!

Thanks for your help.

ShaneC

02-07-2010, 07:41 AM

If you want something super secure and, in my opinion, more fun you can look into AES. If you set a key on the server side then you can encrypt whatever you want and store it wherever you want. You can also encrypt it using an identification hash of your own so that you can check the integrity of the string on decryption.
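What the post above describes is encryption plus an integrity check, and the standard way to build the "identification hash" is an HMAC computed over the IV and ciphertext and verified before anything is decrypted. The following is an added example, not ShaneC's code; it uses PHP's OpenSSL and hash extensions, and the master secret shown is a placeholder for a key loaded from a file outside the web root.

```php
<?php
// Added example (not from the thread): AES-256-CBC, encrypt-then-MAC with
// HMAC-SHA256. The key never leaves the server; the constant below is a
// placeholder, not a real secret.
declare(strict_types=1);

const CIPHER  = 'aes-256-cbc';
const TAG_LEN = 32;   // HMAC-SHA256 output length in bytes

// Derive separate encryption and MAC keys from one master secret so the two
// operations never share key bytes.
function deriveKeys(string $master): array
{
    return [
        'enc' => hash_hkdf('sha256', $master, 32, 'enc'),
        'mac' => hash_hkdf('sha256', $master, 32, 'mac'),
    ];
}

// Returns base64(IV || ciphertext || tag). base64 here is transport only;
// the protection comes from the key, not the encoding.
function sealString(string $plaintext, string $master): string
{
    $k  = deriveKeys($master);
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));   // fresh per message
    $ct = openssl_encrypt($plaintext, CIPHER, $k['enc'], OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // The tag covers IV and ciphertext, so neither can be altered undetected.
    $tag = hash_hmac('sha256', $iv . $ct, $k['mac'], true);
    return base64_encode($iv . $ct . $tag);
}

// Returns the plaintext, or null if the blob is malformed, tampered with,
// or sealed under a different key. The tag is checked before decrypting.
function openString(string $sealed, string $master): ?string
{
    $k     = deriveKeys($master);
    $raw   = base64_decode($sealed, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    // Minimum: one IV, one cipher block, one tag.
    if ($raw === false || strlen($raw) < $ivLen + 16 + TAG_LEN) {
        return null;
    }
    $iv  = substr($raw, 0, $ivLen);
    $tag = substr($raw, -TAG_LEN);
    $ct  = substr($raw, $ivLen, -TAG_LEN);

    $expected = hash_hmac('sha256', $iv . $ct, $k['mac'], true);
    if (!hash_equals($expected, $tag)) {   // constant-time comparison
        return null;
    }
    $pt = openssl_decrypt($ct, CIPHER, $k['enc'], OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// Demonstration with a constructed secret and a constructed payload.
$master  = 'PLACEHOLDER-load-the-real-key-from-a-file-outside-the-web-root';
$payload = 'text the server wants stored in unreadable form';

$sealed    = sealString($payload, $master);
$roundTrip = openString($sealed, $master) === $payload;

// Flip one bit inside the ciphertext: the tag no longer matches and
// openString() returns null without ever calling openssl_decrypt().
$bytes     = base64_decode($sealed);
$bytes[20] = chr(ord($bytes[20]) ^ 0x01);
$rejected  = openString(base64_encode($bytes), $master) === null;

printf("round trip: %s, tampered copy rejected: %s\n",
    $roundTrip ? 'ok' : 'FAIL', $rejected ? 'ok' : 'FAIL');
```

The tag only tells the server that the stored blob is exactly what it sealed earlier with this key. If the decrypted text is PHP that is then passed to eval(), everything the earlier posts say about eval() still applies; what the integrity check buys is that a modified blob is refused before it reaches that point.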